When EMV Isn't High-Tech Enough, New Secure Cards Emerge

The age of the interactive card may have finally arrived, ushered in by the U.S. shift to the EMV standard.

EMV cards improve security at the point of sale, but do nothing to protect card-not-present channels such as the Web. But with consumer awareness of security heightened by recent data breaches, companies like FiTeq are developing their own "super EMV card" to display one-time passcodes or other data to protect e-commerce transactions.

This pitch has been made many times before, such as when banks were tasked by the Federal Financial Institutions Examination Council nearly a decade ago to bulk up security for online banking. Most banks decided that one-time password cards and tokens were too expensive, and opted for cheaper software-based systems.

Now that banks are investing in more secure, and more expensive, EMV card technology, they may be receptive to improving security throughout the payment system rather than just at the point of sale.

FiTeq's interactive cards can render stolen data worthless to hackers, who will lack the dynamic codes needed to make a purchase, said Joan Ziegler, CEO and founder of Tiburon, Calif.-based FiTeq.

FiTeq is taking the payment data encryption methods used in contactless or mobile transactions and "bringing it to a global card that will provide dynamic data no matter where the user is shopping," Ziegler said.

A consumer paying with the card's mag stripe at a terminal must press a button before each swipe to activate the card and produce dynamic data, Ziegler said. A separate button provides a unique security code for online purchases.

Currently, if a FiTeq card is lost or stolen, the bank would still need to reissue it. In the future, FiTeq plans to add PIN or fingerprint biometrics as extra layers of security, making it harder to misuse stolen cards. FiTeq estimates that a bank issuing its cards can save up to $188 per breached account if one of its merchant clients or the bank suffers a breach.

FiTeq is developing "a pretty intriguing technology that certainly addresses a number of pain points," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

But the shift to EMV may be more of a barrier than an enabler for interactive cards, she said. Issuers are so focused on the EMV transition they may not be receptive to the idea of adding even more technology.

Still, issuers have an interest in display cards as a potential answer to card-not-present fraud, Conroy said. "But it's a lower priority relative to initiatives like upgrading infrastructure, to support risk-based authentication for 3-D Secure, tokenization and better analytics," she added.

FiTeq markets its new card as a money saver and another strong layer for data protection that can be used alongside point-to-point encryption or tokenization. Point-to-point encryption protects the cardholder's primary account number and expiration date as a transaction moves through a network, while tokenization replaces the account number with a unique token when that data is stored.

The payments industry has seen many other efforts to establish display cards for consumers.

Late last year, Oberthur Technologies launched its display card with extra fraud protection using technology from NagraID Security, with a screen on the card that allows the cardholder to change the security code. The screen regularly refreshes the code according to an algorithm loaded in a chip embedded in the card.

In 2012, MasterCard issuers made its version of a display card available to consumers, offering an LED screen and keyboard on the card for users to generate single-use numerical passwords for authentication of online purchases.

The vendor Dynamics has marketed multiple versions of a card that lets the user generate new account numbers on its screen and even rewrite the card's stripe for each purchase.

And seven years ago, Innovative Card Technologies Inc. (InCard) developed a DisplayCard that generates a one-time use numeric code for online banking authentication.

FiTeq plans to complete certification of its product with the major card networks in the next month so it can make the cards available early in the second quarter of 2015, Ziegler said.

FiTeq has production plants in Florida to create the electronically powered EMV cards at a pace of up to 1.5 million cards a month, Ziegler said. "As big as this industry is, you have to have the equipment that can scale up gradually, and we have that."
